VBS:MailWorm-gen [Wrm] false positive

There’s a thread in the Tek-Tips VBScript forum asking for help with a mail script issue that I believe is being erroneously flagged as VBS:MailWorm-gen [Wrm]. I don’t see anything wrong with the code… nor any hidden iframes, images, etc., so I believe this to be a false positive.

The thread in question is here:

http://www.tek-tips.com/viewthread.cfm?qid=1614174

Dan

I think that the problem is the use of actual code rather than an image of the said code in the page and avast is alerting on that code.

Now I don’t know if it could be malicious, but that is most certainly why. Only avast and GData detect this and since GData uses avast as one of its two scanners, that really counts as one detection, so it is likely to be an FP. So it needs further investigation.

http://www.virustotal.com/analisis/635bd51aab91a7708dfc61b3f25a7277a020486711ca68e367251917b29a4774-1280531784

I have submitted a sample for analysis, see image.

Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

The site admins at Tek-Tips have fixed the code so it no longer appears as a false positive. Do you still wish me to edit the URL?

Dan

Well I don’t know what they fixed (no alert now), possibly the part that they have wrapped in a Code tag, but it is always an issue when posting code that may either be used maliciously or appear that way.

However, having said that I believe that it was avast correcting the detection signature as the sample that I submitted for analysis and retained in the avast chest is no longer detected.

Now it has been resolved, there is no real need to modify the URL; it is just good practice when giving a link to what may be a suspect site.